CVE-2023-47130 Information

Description

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Reference

https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06 https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection